A forum for reverse engineering, OS internals and malware analysis 

Ask your beginner questions here.
#26406 by DMEW, Thu Jul 30, 2015 12:22 am
I'm looking at malware which hallows out processes. I am able to break when the malware calls "WriteProcessMemory" and patch the OEP of the newly injected code with EBFE (Jmp to Self), then let the new process run, attach my debugger to the new instance and dump it with the OEP figured out and everything. Ok great. Problem is, I can't reconstruct the IAT. Using ImpRec, I can't seem to give it the OEP it wants (it keeps complaining). The newly injected code is in a different memory segment than the original process' .TEXT/.Data sections (does that matter?). This is a badly written question only because I'm new at this and am stuck on even figuring out what to ask. Please advise. Any tips on rebuilding the IAT on malware that hallows out processes?
#26493 by Brock, Tue Aug 11, 2015 6:36 am
Why do you say Hallowed instead of Hollowed? Rebuilding IAT is RE 101 and possible with the right tools and knowledge. Sometimes this is needed by hand, which is painful but gets the job done. It's not a fun process; best of luck in your endeavors.
#26506 by DMEW, Wed Aug 12, 2015 5:36 pm
Thanks, appreciate the response. I guess I'm on the right track; it's just a real big pain in the ass :).

When you say "sometimes you need to do it by hand", do you mean manually script the process of tracking down calls to addresses and resolving them to a function name?
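An added example (not from this thread, and not ImpRec's code) of what "scripting it by hand" amounts to: given the dumped hollowed image and the export tables of the modules loaded in the target process, scan the whole dump (not only the original .text/.data) for null-terminated runs of pointers that land inside a loaded module and resolve each slot to dll and export name. The module table, load bases, RVAs and the dump bytes below are all constructed sample values; in a real session the export index is built by walking each loaded module's export directory.

```python
import struct

# Constructed sample export tables for two "loaded modules": dll -> (load base,
# size, {export RVA: name}). Real ones come from the live process's modules.
MODULE_EXPORTS = {
    "kernel32.dll": (0x76D00000, 0x100000, {0x1A2B0: "VirtualAlloc",
                                            0x1C4F0: "WriteProcessMemory"}),
    "ntdll.dll":    (0x77A00000, 0x180000, {0x05230: "NtUnmapViewOfSection"}),
}

def build_export_index(modules):
    """Absolute VA -> (dll, name) for every export of every loaded module."""
    return {base + rva: (dll, name) for dll, (base, _, exports) in modules.items()
            for rva, name in exports.items()}

def module_for(va, modules):
    """Loaded module containing va, or None (used to flag unresolvable slots)."""
    return next((dll for dll, (base, size, _) in modules.items()
                 if base <= va < base + size), None)

def find_iat_runs(dump, image_base, modules, min_run=2, ptr_size=4):
    """Scan the whole dumped image for null-terminated runs of pointers into
    loaded modules (thunk arrays). A slot inside a module that matches no export
    is kept as (dll, None) instead of silently truncating the IAT."""
    fmt = "<I" if ptr_size == 4 else "<Q"
    index, runs, cur, start = build_export_index(modules), [], [], None
    dump = bytes(dump) + bytes(ptr_size)          # sentinel closes a trailing run
    for off in range(0, len(dump) - ptr_size + 1, ptr_size):
        va = struct.unpack_from(fmt, dump, off)[0]
        dll = module_for(va, modules)
        if dll is not None:
            start = off if start is None else start
            cur.append(index.get(va, (dll, None)))
        else:                                     # zero terminator or other data
            if len(cur) >= min_run:               # drop stray single pointers
                runs.append((image_base + start, cur))
            cur, start = [], None
    return runs

def sample_dump():
    """Constructed 256-byte 'dump': stray pointer at +0x10, thunk arrays at +0x80
    and +0x8C (the second has one slot that matches no export)."""
    d = bytearray(0x100)
    struct.pack_into("<II", d, 0x10, 0x76D1A2B0, 0)
    struct.pack_into("<III", d, 0x80, 0x76D1A2B0, 0x76D1C4F0, 0)
    struct.pack_into("<III", d, 0x8C, 0x77A05230, 0x77A12345, 0)
    return bytes(d)
```

The output is the raw material for the import table: each run's VA is a thunk array to point an import descriptor at, and the (dll, None) slots are the ones to inspect by hand before trusting the rebuilt IAT.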